Outsourcing information technology functions to the cloud entails risk for both companies and cloud service providers, especially when sensitive data is stored in the cloud. Sensitive data carries business risk and may be subject to a host of legal and regulatory requirements. Cloud service agreements, which typically use the cloud service provider’s forms, do not by default align enterprise risks with provider obligations.
Risk allocation may shift based on a variety of factors, including the cloud service model (Software as a Service, Platform as a Service, or Infrastructure as a Service), deployment model (public, private, hybrid, or community cloud), and the data being hosted. The degree to which a cloud transaction can be negotiated likewise varies, so companies should involve legal counsel early in the procurement process to help tailor their agreement to fit the organization’s risk profile. At a minimum, such tailoring includes clearly documenting the cloud service provider’s responsibilities (particularly those related to both data privacy/security and allocations of liability), and providing for meaningful remedies in the event of a breach of contract.
As part of our year-end review series, below we provide five practice pointers regarding provider responsibility in enterprise cloud service agreements. Cloud service providers should (1) furnish evidence of data security standards and promise compliance with applicable laws, (2) indemnify enterprise customers against major risks, (3) accept higher limitations of liability for major risks where the provider is at fault, (4) carry adequate insurance, and (5) acknowledge customer ownership of data and limit use of that data to contractually stipulated purposes.
- Representations and Warranties
Boilerplate cloud service agreements may not obligate cloud service providers to maintain robust data security procedures and practices. While a lower level of security may be acceptable for an entry-level service (such as Software as a Service deployed through a public cloud) when sensitive data is not involved, higher levels of security should be required when sensitive data is at issue. Stakeholders should carefully review the cloud service provider’s data security standards to ensure alignment with the risk tied to the data. The information security team should measure the provider’s standards against the company’s internal standards, and business stakeholders and legal counsel should assess whether the provider’s standards meet applicable business and legal requirements.
Many cloud service agreements contain provisions obligating the provider to implement “reasonable security measures,” but this standard is vague and can be difficult to enforce. Similarly, many cloud service agreements reference third-party information security certifications such as ISO 27001 (a set of requirements for an information security management system). A certificate of this kind covers only the scope stated on it, so confirm that the certified scope actually includes the service and facilities the company will be using. Third-party data security certifications merely serve as a starting point for a thorough review of the provider’s data security practices. Companies should request copies of the cloud service provider’s internal data security policies, which could be provided subject to a non-disclosure agreement.
Audit provisions grant companies the right to monitor the provider’s security practices. Companies may find it difficult to obtain first-party audit rights (such as site visits and penetration testing) given the shared environment of the cloud implementation. For example, allowing penetration testing by one customer may constitute a breach with respect to other customers. Further, the cost of auditing, even when permitted, may be prohibitive. Regardless of whether first-party audit rights are available, companies should require their providers to verify operational integrity via third-party audit results, such as SOC 2 Type II reports (which evaluate a service provider’s information systems based on principles such as security, confidentiality, and privacy, and, unlike a Type I report, test whether the controls operated effectively over a period of time). When reviewing such a report, check its scope, any exceptions noted by the auditor, and the controls the report assumes the customer itself will operate.
Several key warranty provisions should be sought in addition to a general warranty of adherence to industry best practices. For one, cloud service providers should warrant that they will comply with all laws and regulations applicable to them. Consider expressly naming any laws of particular relevance in the agreement.
Cloud service providers also should warrant that their technology does not infringe the intellectual property (IP) rights of any third parties. A provider’s cloud technology may involve a complex interplay between systems and network appliances, proprietary technology, licensed third-party software and open source software. As the architect of the service, the provider should bear the responsibility for securing its IP rights and for protecting its enterprise customers against any potential infringement claims.
Finally, cloud service providers should warrant that they will provide notice of material confidentiality and security breaches to companies. Companies may have a duty to notify affected individuals of such breaches if required by state breach notification laws or other applicable privacy laws, and the statutory clock runs against the company regardless of when the provider chooses to speak up. Regardless of the cloud service provider’s culpability for a breach, providers often detect breaches first. As such, they should inform companies of breaches upon actual knowledge or reasonable suspicion of a breach, within a defined number of hours rather than “promptly,” and the notice should identify the affected data and systems and the facts known at the time.
- Indemnification
At a minimum, cloud service providers should provide indemnification against gross negligence or willful misconduct by the provider’s employees and subcontractors. More generally, providers should provide indemnification against provider errors that give rise to high remedial costs.
Breaches of confidentiality and security can be expensive. Although some breaches may be attributable to the provider’s failure to comply with contractual requirements or applicable laws, other breaches might not rise to this level. Draft the indemnity provisions based on the level of responsibility attributable to the cloud service provider. Companies can seek a higher cap for costs and expenses of a breach attributable to provider fault, and a lower cap for other breaches.
Consider the difference between first-party and third-party costs when the provider is at fault for the breach. When a breach occurs, companies incur significant first-party costs for providing notice to affected individuals, as well as from credit monitoring services, call center staffing, forensic investigation, legal counsel, and reputation management. Accordingly, the agreement should contemplate coverage of first-party costs (especially for notice and credit monitoring) and third-party claims when the provider is at fault. Reserve the right both to control the distribution of all required notice and to choose a reasonable provider of credit monitoring services.
Cloud service providers also should indemnify companies against IP infringement claims and remedial costs arising from violations of law. While a provider’s boilerplate language may only provide protection against claims of copyright infringement, IP indemnity provisions should cover all potential IP claims. Patent infringement suits are particularly expensive, and increasingly frequent in the cloud context. Likewise, companies should not bear the costs of remedying any violations of the law caused by the provider. Each party should bear financial responsibility for its own compliance with all applicable laws and regulations.
- Limitation of Liability
The baseline limitation of liability cap typically reflects some multiplier of fees or a fixed dollar amount. Cloud service provider liability for fraud, gross negligence, and willful misconduct usually is not capped. Consider a carve-out approach to address breaches of confidentiality and security, IP infringement, and violations of law. Be careful to ensure that no other provisions in the agreement limit the amount recoverable under the carve-out. The agreement can specify a higher cap if the breach is attributable to the conduct of the provider and a lower cap for other breaches, but this approach demands a clearly defined set of provider obligations concerning data security and confidentiality.
Recently, some cloud service providers have hesitated to reimburse the costs for notice and credit monitoring services to a company’s customers following a data breach attributable to the acts or omissions of the service provider. The providers disputed whether these costs fall within recoverable direct damages. Ensuring that the responsibility for these costs is clearly defined in the agreement can help avoid complications in the event of a security breach.
Where cloud service providers bear responsibility for IP infringement, they should in turn bear the costs for resolving infringement claims. Depending on the limitation of liability cap for IP infringement claims, the customer may want to retain control of any lawsuits.
- Insurance
If a cloud service provider does not maintain sufficient liquidity, appropriate insurance coverage improves the likelihood that the customer will be reimbursed for costs associated with a qualifying event.
Commercial general liability policies typically do not cover costs associated with technology-related errors. Accordingly, cloud service providers should carry a commercial blanket bond to cover any grossly negligent acts or willful misconduct by the provider’s employees, and technology errors and omissions coverage should also be sought. In terms of coverage amounts, risk management teams can identify threshold dollar figure requirements for each type of coverage.
Where appropriate, the company may request to be named as an additional insured on the cloud service provider’s policies, allowing the company to pursue reimbursement directly from the provider’s insurance carrier. Additionally, companies may seek a waiver of subrogation to prevent subsequent lawsuits initiated by insurers to recover costs from the party deemed to be at fault. In some cases, the willingness of a provider to meet such insurance requirements may be conditioned upon the company carrying similar coverage.
In addition, companies should consider obtaining cyber risk insurance to protect against losses associated with data security breaches, theft of personal information, data loss or destruction, and denial-of-service attacks. Cyber insurance policies offer a range of coverage, so companies should carefully weigh coverage needs against anticipated risk.
- Data Ownership and Use
Ownership and data usage rights should be clearly defined in the cloud service agreement. Cloud service agreements frequently include provisions granting the provider a license to use the customer’s data for analytics and service improvement purposes. The agreement should distinguish between using company data or metadata in an application that allows the company to evaluate cloud service performance and using such data in other applications or for other purposes.
Cloud service providers also frequently indicate that they will aggregate and/or de-identify customer data. Companies should determine the specific method(s) of de-identification or anonymization utilized by the provider, because the label alone says nothing about whether the data can later be re-identified. Note that data sharing by providers with third parties (such as analytics companies and advertisers) may risk violating a company’s confidentiality obligations, so carefully evaluate the implications of granting any permissions to the provider in this respect. Consider allowing the provider to use company data only for purposes absolutely necessary to the provision of the service, while prohibiting all other uses.